Every domain has a second life.
DomainDefender captures the full lifecycle (registered, resolved, expired, reused, weaponized) across every TLD we can access, and turns it into a reproducible research pipeline and a live defensive signal.
From birth to rebirth.
Every domain passes through a sequence of states. The interesting ones, the risky ones, come back to life under new ownership, inheriting the legitimate trust of their previous life as attack surface.
Legitimate inbound links accumulate over years, survive expiration, and still point to the same domain after re-registration, now under a different owner. That gap between stage 3 and stage 6 is the attack surface.
The chart below is conceptual, showing the shape of the trust vs. risk story. It is not a measurement of any specific domain.
Five layers. Data flowing through.
Each layer deepens the record. Watch data flow from ground-truth registration facts up to detection-ready signals.
- 01
Zone File Collection
ICANN CZDS · RFC 1035 parser
Every registered domain under every accessible TLD, with all DNS record types.
domain tld dns_records{} parsed_at
- 02
RDAP enrichment
RDAP (IANA bootstrap)
Registrar, IANA ID, registration dates, nameservers, DNSSEC, EPP status, registrant country.
registrar registrar_iana_id creation_date expiry_date updated_date nameservers[] dnssec status[] registrant_country
- 03
DoH liveness + IP intel
Cloudflare 1.1.1.1 · Google 8.8.8.8 · ip-api
Re-resolve every match over DoH. For each live IP, ASN / country / ISP via ip-api enrichment.
resolves resolves_a[] live_check_at ip_intel.{asn,country,isp}
- 04
Brand-impersonation surface
match.py · cctld_probe.py · DoH-as-oracle
242 brands × 5 detection layers (TLD-squat, homoglyph, idn-punycode, combosquat, dl1) joined against 1,160 TLDs.
brand layer candidate_sld tld tranco_rank
- 05
Cross-reference + linking
PhishTank · URLhaus · CryptoScamDB · OpenPhish · ThreatFox · Phishing.Database
Six abuse feeds + a non-CDN IP/ASN graph layer. Trichotomy: known-bad / linked-bad / blind-spot.
known_bad_sources[] linked_bad defensive_likely blocklist_hit[]
What just happened in the dataset.
Time-sensitive slices (what's fresh, what's about to expire, what's aging), drawn from live data at build time.
Last 30 days.
- soek.men 2026-06-08
- olibanum.abudhabi 2026-05-22
- vips.homes 2026-06-07
- pppabblue.xyz 2026-05-28
- helicoptertour.abudhabi 2026-06-02
- supa.bot 2026-05-31
Next 30 days.
- acquainbocca.corsica 2026-07-07
- mekviatravel.online 2026-06-19
- ffh.frl 2026-07-12
- framelensphotography.pics 2026-06-25
- ceramics.coop 2026-06-23
- webdrive.kiwi 2026-07-15
How old are records?
Bucketed by age at the time of the snapshot. Fresh domains are a disproportionately risky signal in abuse research.
What 2,937,143 records tell us.
Direct aggregations off domain_metadata. Every number is real, computed at build time. Coverage per TLD is capped at a 5,000-domain stratified sample, so within-TLD percentages are estimates (±1.4% margin), not exhaustive counts.
Top 10 registrars.
When were these domains born?
By creation year.
Signed vs unsigned.
Share of records with DNSSEC delegation, by TLD.
Where registrants declare they are.
Top ISO-3166 alpha-2 registrant countries from the clean subset of the RDAP data.
source · domaindefender @ localhost:27019 · build-time snapshot
Same name, many extensions.
Second-level labels that appear under 3+ different TLDs in our sample. A rough proxy for defensive / brand-protection registrations, sometimes for campaign-style bulk buying. The colored chip on each row tells you which is which:
≥80% of registrations via one registrar. Single corporate footprint — Com Laude, MarkMonitor, CSC. Genuine brand-protection.
50–80% via one registrar. Some defensive registrations, the rest spread elsewhere — partial brand control.
<50% via one registrar. No single owner — opportunistic, contested, or many independent registrants sharing the name.
Hover any chip to see the dominant registrar, exact share, distinct registrar count, and HHI (Herfindahl-Hirschman Index — industry-standard concentration measure; 10 000 = monopoly, <2 500 = competitive).
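The chip thresholds and HHI described above, worked through as an added example (not DomainDefender's own code). The function name, the chip names and the sample registrations are constructed for illustration.

```python
from collections import Counter

def concentration(registrations):
    """registrations: (tld, registrar) pairs observed for one second-level label.

    Returns None when the label appears under fewer than 3 TLDs, since only
    labels seen under 3+ different TLDs are profiled.
    """
    if len({tld for tld, _ in registrations}) < 3:
        return None
    counts = Counter(registrar for _, registrar in registrations)
    total = sum(counts.values())
    dominant, top = counts.most_common(1)[0]
    # HHI: sum of squared registrar shares in percent (10 000 = one registrar).
    hhi = round(sum((100 * n / total) ** 2 for n in counts.values()))
    # Integer comparison keeps the 80% and 50% boundaries exact.
    if top * 100 >= 80 * total:
        chip = "single-footprint"   # hypothetical chip name
    elif top * 100 >= 50 * total:
        chip = "partial"            # hypothetical chip name
    else:
        chip = "dispersed"          # hypothetical chip name
    return {
        "dominant_registrar": dominant,
        "share_pct": round(100 * top / total, 1),
        "distinct_registrars": len(counts),
        "hhi": hhi,
        "chip": chip,
    }

# Constructed samples: one label each, registrar names are placeholders.
TLDS = ["com", "net", "org", "io", "app", "dev", "shop", "xyz", "online", "site"]
DEFENSIVE = [(t, "Registrar A") for t in TLDS[:9]] + [("site", "Registrar B")]
MIXED = ([(t, "Registrar A") for t in TLDS[:6]]
         + [(t, "Registrar B") for t in TLDS[6:8]]
         + [(t, "Registrar C") for t in TLDS[8:]])
CONTESTED = [("com", "Registrar A"), ("net", "Registrar B"),
             ("org", "Registrar C"), ("io", "Registrar D")]

if __name__ == "__main__":
    for name, sample in (("defensive", DEFENSIVE), ("mixed", MIXED),
                         ("contested", CONTESTED)):
        print(name, concentration(sample))
```

Four registrars with equal shares land exactly on HHI 2 500, the edge of the "competitive" range quoted above.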
The pulse of new registrations.
Count of domains created per day over the last 180 days, a daily reading of the registration firehose, drawn straight from the RDAP creation_date.
How long is a domain bought for?
expiry_date − creation_date. Most registrations are minimum-term (one year); long-lead 5+ year terms are the rare infrastructure investments.
Which registrars sign by default?
DNSSEC adoption is still uneven across the industry. These are the registrars with the highest share of signed delegations, filtered to those with at least 100 domains in our sample.
How domains are locked.
Every RDAP record carries a set of EPP status flags. They encode who has locked what: registrar locks (client*) and registry locks (server*). The frequencies below reveal the industry's defaults: transfer locks are near-universal, while delete and update locks are much rarer.
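One way to tally the client*/server* split from a record's status[] array, as an added example (not DomainDefender's code). RDAP reports these statuses with spaces ("client transfer prohibited") while EPP uses camelCase ("clientTransferProhibited"), so both spellings are normalized; the function names and sample records are constructed.

```python
from collections import Counter

LOCK_ACTIONS = ("transfer", "delete", "update")
TIERS = (("client", "registrar"), ("server", "registry"))

def normalize(status):
    """Collapse 'clientTransferProhibited' and 'client transfer prohibited' to one key."""
    return "".join(ch for ch in status.lower() if ch.isalnum())

def lock_profile(status_list):
    """Return which actions are locked at the registrar tier and the registry tier."""
    profile = {"registrar": set(), "registry": set()}
    seen = {normalize(s) for s in status_list}
    for prefix, tier in TIERS:
        for action in LOCK_ACTIONS:
            if f"{prefix}{action}prohibited" in seen:
                profile[tier].add(action)
    return profile

def lock_frequencies(records):
    """Count records per lock, keyed as 'tier:action'."""
    counts = Counter()
    for rec in records:
        for tier, actions in lock_profile(rec.get("status", [])).items():
            counts.update(f"{tier}:{a}" for a in actions)
    return counts

def without_transfer_lock(records):
    """Domains with no transfer lock at either tier: the outliers worth reviewing."""
    out = []
    for rec in records:
        prof = lock_profile(rec.get("status", []))
        if "transfer" not in prof["registrar"] | prof["registry"]:
            out.append(rec["domain"])
    return out

# Constructed sample records using the page's field names (domain, status[]).
SAMPLE = [
    {"domain": "example.com", "status": ["clientTransferProhibited",
        "serverTransferProhibited", "serverDeleteProhibited", "serverUpdateProhibited"]},
    {"domain": "example.net", "status": ["client transfer prohibited", "active"]},
    {"domain": "example.org", "status": ["active"]},
]

if __name__ == "__main__":
    print(dict(lock_frequencies(SAMPLE)))
    print(without_transfer_lock(SAMPLE))
```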
Who actually runs the internet's DNS?
Every record lists its authoritative nameservers. Rolled up to the provider family (second-level suffix), a handful of operators are visible behind a very long tail of small self-hosted setups.
Counts are distinct domains: a domain delegating to ns1+ns2 of the same provider counts once.
Five lenses on what attackers actually name.
From basic structural patterns (length, hyphens, IDN) to specific abuse signatures (lookalikes, bulk-bursts). Each tab is its own slice; the underlying data is the same.
What domain names look like.
Length, character class, and encoding patterns of the second-level label. Abuse research cares about these: long random-looking strings, double hyphens, and numeric-heavy names correlate with disposable registrations.
How long is the name itself?
Characters in the second-level label (before the dot).
How often do these show up?
Share of records (n = 510,189).
Look at individual records.
Aggregations are useful but sometimes you need to see one domain at a time — the oldest in the dataset, the shape of a record, or what's flowing through right now.
The extremes of the dataset.
The oldest domains we have indexed, some registered in the early 90s, still live and paid for, alongside the freshest ones minted in the last few hours.
Still alive after 3+ decades.
Minted in the last few hours.
Real TLDs. Real counts.
0 well-known TLDs from our zone corpus, 0 domains shown here, drawn at build time. Bubble size is proportional to the log of domain count.
Where in the world.
Registrant country is the geographic signal at registration time. Hosting region is the geographic signal at resolution time. They tell different stories.
Where registrants declare they are.
Plotted from the registrant_country field of the RDAP response. Country outlines come from Natural Earth (110m).
32,802 records have a clean ISO country we don't have a centroid for; their bubbles are skipped (the country polygon is still drawn).
How clean is the data?
Not every RDAP call succeeds. Some registries rate-limit, some don't publish RDAP at all, some time out. The rdap_status field records the outcome for every attempt. These are the real success/failure shapes.
Top 10 TLDs with ≥ 200 RDAP attempts.
Query the corpus, programmatically.
The same live MongoDB aggregations powering this site, exposed as a versioned REST API. Lifecycle endpoints (fresh / expiring / pending-delete / stale) are the core differentiator, plus per-domain biography that commercial infrastructure-graph vendors don't publish.
# corpus size + latest record, public
curl https://api.domaindefender/v1/meta
# full record for a single domain
curl -H "X-API-Key: $KEY" \
  https://api.domaindefender/v1/domain/example.com
# lifecycle — what registered in the last 7 days?
# (URL quoted so the shell does not treat "?" as a glob character)
curl -H "X-API-Key: $KEY" \
  "https://api.domaindefender/v1/lifecycle/fresh?window_days=7"
Why open.
Collection code and record schemas are published so findings can be independently verified.
Domain records are made available to researchers on request, under terms consistent with ICANN CZDS.
Every layer of the pipeline is documented: what is collected, how, from where, and with what known limitations.
Read next.
Filter a 3,000-record sample by TLD, registrar, length, DNSSEC, and age, client-side, no round trips.
Every TLD in the dataset with zone size, record count, coverage, and first-seen date.
Spin to pull a random record. Useful for eyeballing the shape of the corpus one record at a time.
Two TLDs side by side, volume, DNSSEC rate, median age, top registrar, fresh-registration count.
DNSSEC defaults, transfer-lock coverage, median age, favorite TLD, registrar vs. registrar.
Cross-tabulated analytics: country × TLD heatmap, registrar→cloud flow, age×volume scatter, and more.
Coverage, infrastructure signals, refresh history.
Field-by-field documentation of the domain_metadata record, with live presence rates.
A dated record of the platform, the dataset, and research milestones.
Browse detail pages for every top TLD and top registrar in the dataset.
Researchers and practitioners can request dataset access or propose collaborations.